Application Delivery Controllers the Swiss Army Knife

The Application Delivery Controller continues to increase market share in the enterprise networking space, but I’m not sure everyone understands the value of this device, and why this network component has become an important part of the enterprise.


The most common task of an ADC is load balancing, and not that long ago most of these devices were called load balancers, but these devices evolved into ADC’s.  I’ve always tried to correct people when they call the Netscaler a Load Balancer, because this doesn’t do it justice, the Netscaler is like my swiss army knife, where it has many functions and I can solve many architecture challenges.

The fundamental different between ADC’s and other network devices like firewalls/routers and switches is the ADC is a proxy, and therefore terminates TCP and UDP connections, and creates new connections between the proxy and resource.  It is this fundamental difference that gives the device so much power

and flexibility over other network devices that are generally just routing or switching packets.

Here is a list of feature that most ADC’s will have

  • Load Balancing
  • SSL Offloading
  • Caching/Compression
  • TCP Multiplexing
  • Authentication
  • Authorization
  • Auditing
  • Routing
  • Switching
  • Content Switching
  • Application Firewall
  • DNS
  • Global Server Load Balancing
  • Many HTTP features

As HTTP has become the protocol of choice for some many applications today, the ADC’s has become the master of controlling, manipulating and transforming the HTTP protocol.

The placement of the ADC is commonly placed between the user’s and the server’s, so it is common to have this device in the data center network to control application delivery.  It is also common to have this device in the DMZ to be used as a reverse proxy between the internet and data center network.  It is also becoming popular to use the ADC in the data center network between internally data center services, for example front end web server’s and the database.

I believe the ADC will become an essential component in the enterprise.  Software Defined Network (SDN) will enable these devices to be easily architectured into the network, especially with the emerging technologies like Network Services Header (NSH) that will enable service chaining.


End of an Era for VPN?

The legacy method of granting users access to applications in the enterprise is to extend the network perimeter to the client. This is achieved by routing the traffic between the client and the network edge in one secure tunnel. This approach poses a security risk as the user usually has full access to all network resources and applications.

The next problem with legacy VPNs is that it is based on Layer 3. This means your security policies are based on IP information, for example Access Control Lists (ACLs). ACLs are hard to manage and are not application centric.

Zscaler Private Access could disrupt the Virtual Private Network (VPN) market with a new approach on how to connect users to applications securely.  Zscaler Private Access (ZPA) is cloud service that can securely connect users to applications without extending the network perimeter and without routing.  The Zscaler Application (ZApp) client securely presents applications to the client, therefore removing the network complexities and security risk from legacy VPN technologies.

ZScaler has an interesting approach, they have moved the security model up the network stack from ISO Layer 3 to 7 and based the entire system on Domain Name Systems (DNS) instead of Internet Protocol (IP). This is more application centric approach and solved many challenges we have at Layer 3, like routing, IP overlap, Network Address Translation (NAT), 4to6 NAT, IP4 Scalability.  All these network headaches disappear and now I can control application access.

The granular application policy is also based on DNS, this policy can be dynamically applied to the end user.  This idea follows the Zero Trust Model, where you only grant user access to applications and systems they require and not to your entire network.  There is also a method of using wildcard domains if you don’t want follow the this model.

ZPA is using federation via Security Assertion Markup Language (SAML), so easy to integrate with your external IDP or internal Microsoft ADFS.  The SAML claims define the user application access policy, the claims are linked to an application name that consist of the domain name and port number in the simplest form.

Without going into a deep dive on how this is working, you could say this is more like a Proxy VPN based on an Software Defined Network (SDN) in the cloud, every TCP session and UDP stream is proxied multiple times. The ZScaler cloud will always find the best path to the application and dynamically create a one hop encrypted tunnel for each application, so you could call this Software Defined Security (SDS).

I believe this application centric technology will improve security, flexibility, scalability and most important simplify the complex legacy VPN solutions we often see in the enterprise.

I am looking forward to how this disruptive technology will change the current IT landscape, and how enterprises will start solving security challenges, like Internet of Things (IoT), company mergers, contractor access, and securing the end user device.